SANS ISC InfoSec Forums

Log/Event console picking up an unusual amount of “failed attempts” ID4776. Traced one external IP and blocked on firewall. Login attempts with various usernames still coming in. Traced some IPs to cameras inside our network. Turned cameras off but attempts are still coming in. Looks like it’s inside our network. So far, no real accounts have been compromise but this might not be for long. Anyone dealt with this type of attack before? Best approach, tools, etc.? Advise appreciated.

There is no good way to say this - your entire network is likely compromised.

Start afresh and rebuild everything, as nothing can be trusted at this point, including your backups/BIOS/firmware/routers/wifi access points/cameras and yes, even printers (especially the multifunction ones - many run embedded windows and cannot be patched easily - or it violates your warranty if you do).

If your systems contain or connect to other systems with valuable data, suggest getting an expert in to help you. SANS may be able to recommend one to you.

I would disagree with the "you are totally compromised" comment. You need to think about that when the attempts *stop*.
The important thing to consider is why exactly you have a userid/password service open to the internet - especially if you are seeing campaigns like this (and everyone is), you should be thinking about implementing a two factor authentication solution to shut these attempts down.